Recently we had a security problem. One email account which is based on MS Exchange 365 was hacked and the hacker forwarded all emails per rule to a Gmail account.

I checked all relevant PCs and I didn't find any viruses. And I changed the passwords. But in this case changing the passwords didn't change anything because the rule which forwarded all the emails also worked after I changed the passwords.
The forwarding only stopped once I discovered that such a rule was set up and then I deleted the rule.

How common is this hack? I never heard or read about it before.
It is also still a mystery for me how the attacker accessed the email account. Probably he stole the password somewhere but I can't figure out how.

I'm afraid that (as I'm sure you realize) no one is going to be able to tell you how the account was compromised. There are simply far too many vectors, and you're the only one who is going to be able to find out (although even that's not a guarantee). You already checked any "local" machines of the affected user for signs of unauthorized access, either physical or via malware. It's possible you missed something, but if this was caused by a leaked password then you'll probably never find any evidence anywhere, unless the password shows up on HIBP (which doesn't always happen).
– Conor Mancone Jul 25 at 13:31

How did you discover the hack initially?
– Conor Mancone Jul 25 at 13:35

Ouch. #2 is potentially the most painful. Also called Mandate Fraud. Here's what it looks like from the other side (although it isn't pretty) money.stackexchange.com/questions/106081/… You should also confirm that you have SPF/DKIM/DMARC properly configured for your domain. This makes spoofing your email addresses slightly harder for an attacker.
– Conor Mancone Jul 27 at 11:13

2 Answers

In my professional experience, this is not a common step from "hackers". However, I don't have any hard numbers to back that up, so I wouldn't take that statement as anything more than anecdotal evidence.

However, it's worth stating the obvious about why the hacker did this. What it really comes down to is that the attacker used this, effectively, as a hidden backdoor to continue to maintain access even after initial discovery. Indeed, this is what happened, as the attacker continued to get copies of all emails even after you reset the password on the email account. Working on the assumption that this attack scenario is less common, it suggests that this might be a more targeted attack, which is worth further scrutiny.

The fact that the hacker took this additional step means that they were interested not just in full access to the account, but that they were also interested in read-only access to incoming emails. There are three main uses I can think of for read-only access to a user's email:

1. Compromising further accounts

As long as they receive a copy of all emails, they can reset the password for any third-party accounts that the affected email address is registered with. After all, it usually just takes that "reset" link to reset a password, and if they trigger a password reset they'll get a copy of the link too. They will no longer be able to delete the reset email in the original inbox, which might cause suspicion, but that won't stop them from resetting account access anyway - it just might mean they get caught quicker.

If you found out about the hack because the attacker used their access to break into other accounts, then this forward rule may simply be an attempt to extend their access and allow further "damage" even after the initial discovery. This is probably the least-painful scenario (for you).

2. Intercept business transactions (aka Mandate Fraud)

One scam I have heard of is attackers intercepting legitimate business transactions by having access to internal information from the billing team, typically for larger transactions. To pick a random example, imagine you were a roofing company and the person who owns this email address is on the billing team. They email a customer a $15,245.36 invoice and instruct them to send a check to your office. The hacker sees the same email and follows up with the customer a couple of hours later with a spoofed email from the same email address (but with a different reply-to) that says, "Oh wait, there was a mistake in my last email. Please send that $15,245.36 to this address using this other payment method". This can be a very effective scam. By spoofing the same email address and injecting themselves into the conversation with full knowledge of the details of the transaction, it can be very easy to convince the person on the other end to simply do as instructed without even raising any red flags.

If the email address belonged to someone on your accounting team, I might be worried about this kind of situation - such attacks definitely do happen.

3. Good old-fashioned snooping

It could be that the person wanted to have access to otherwise privileged information. This might be the case if, for instance, the compromised account belonged to someone in upper management. One example would be a lower-level employee who had brief unsupervised access to the manager's computer. If the machine was left unlocked they could easily launch Outlook and set up a forwarding rule in (probably) 30 seconds with practice.

I mention an employee simply because they are probably someone more likely to be "generally" interested in someone's emails without necessarily having a specific goal. While such an attack can generally be very easy to perform in an office environment, it's also obviously a bit risky, so it isn't on the top of my list of possibilities.

Summary

All this to say: personally I think this is less common, so I would be concerned that the attacker had a specific goal in mind for this particular account. I could be overly paranoid though. What this means is that it is worth considering exactly what an attacker might have to gain by continuing to have read-only access to this particular user's account. If they are someone with access to sensitive information about your company, I would be more worried.

If the attacker was able to execute PowerShell in your environment he or she could have used the Set-Mailbox cmdlet to do this. It can set up forwarding for any user and leave a copy in the original mailbox so it’s quite transparent.

Your bigger concern is: someone is able to run PowerShell in your environment with the permissions of your Exchange admin and you have not found them yet.

Possible. But setting up a rule in Outlook or OWA takes about a minute and is a lot easier than using PowerShell. And it can be done on a user-account without admin rights.
– Edgar Jul 25 at 11:23

True, if just the password for this user had leaked. But an attacker with an ordinary user's password will still attempt to escalate it to admin, because that's what attackers do. And it would not leave their IP address in the OWA access log.
– Gaius Jul 25 at 11:30


If the attacker had physical access, he could've used a Bash Bunny or something similar to execute this within a few seconds. Apart from that: PowerShell is a common tool leveraged by malicious actors (and penetration testers alike) - just because it is perceived as hard should not rule out its usage by an attacker.
– mhr Jul 25 at 11:30


Also, a hacker lives all day every day in the command line. What is "a lot easier" for him or her, vs. an average user, is very different.
– Gaius Jul 25 at 11:34

I think you're overly focused on PowerShell and the command line. There are many ways to set forwarding rules, and by focusing on just PowerShell, you can easily lead someone in the wrong direction and cause them to miss other potential points of entry. Finally, the idea that a "hacker" lives all day every day on the command line is an extremely broad characterization, and just not correct.
– Conor Mancone Jul 25 at 13:26
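Both answers and the comment thread describe two distinct places a silent forward can live in Exchange Online: a user-level inbox rule (created in Outlook or OWA, no admin rights needed, and untouched by a password reset) and a mailbox-level forward set with Set-Mailbox. The following is an added audit script, not code from the question or either answer, that enumerates both kinds across a tenant, flags targets outside your own domains, and then pulls the unified audit log entries that show who created them and from which client IP. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange admin or view-only admin role; the trusted-domain list is a placeholder for your own accepted domains.

```powershell
# Added example (not from the question or the answers): audit an Exchange Online tenant for
# hidden forwarding, both as inbox rules and as Set-Mailbox forwarding, then look up who set it.
# Assumes: ExchangeOnlineManagement module installed; caller has an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Placeholder: replace with the domains you accept mail for. Anything else is "external".
$trustedDomains = @('example.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients look like '"Name" [SMTP:user@domain]'; mailbox forwarding looks like
    # 'smtp:user@domain'. Internal recipients appear as [EX:/o=...] and are treated as internal.
    if ($Address -match 'SMTP:([^\]\s]+)') {
        $domain = ($Matches[1] -split '@')[-1].ToLowerInvariant()
        return ($domain -notin $trustedDomains)
    }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (the Set-Mailbox path). DeliverToMailboxAndForward=$true keeps a
#    copy in the original mailbox, which is why the owner notices nothing.
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'MailboxForwarding'
            Name     = '(Set-Mailbox)'
            Enabled  = $true
            Target   = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            KeepCopy = $mbx.DeliverToMailboxAndForward
            External = Test-ExternalAddress $mbx.ForwardingSmtpAddress
        })
    }
}

# 2. Inbox rules (the Outlook/OWA path). Forward and forward-as-attachment keep the original;
#    redirect does not, so a redirect is the more obvious one to the account owner.
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'InboxRule'
            Name     = $rule.Name
            Enabled  = $rule.Enabled
            Target   = ($targets -join '; ')
            KeepCopy = -not $rule.RedirectTo
            External = (@($targets | Where-Object { Test-ExternalAddress $_ }).Count -gt 0)
        })
    }
}

# External targets first: those are the ones that match the scenario in the question.
$findings | Sort-Object External, Enabled -Descending | Format-Table -AutoSize

# 3. Who did it: cmdlet-based changes (OWA, PowerShell, Exchange admin center) are recorded in
#    the unified audit log with the actor, client IP and the parameters passed. Rules created
#    from desktop Outlook show up as 'UpdateInboxRules' mailbox-audit events with a different
#    record shape, so they are not parsed here.
$since = (Get-Date).AddDays(-90)   # retention depends on licence; 90 days is the usual floor
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $params = @($d.Parameters | Where-Object { $_.Name -match 'Forward|Redirect' })
    if ($params.Count -gt 0) {
        [pscustomobject]@{
            When      = $e.CreationDate
            Actor     = $d.UserId
            ClientIP  = $d.ClientIP
            Operation = $d.Operation
            Target    = $d.ObjectId
            Params    = ($params | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

The script only reports. Once a finding is confirmed, the removal is Remove-InboxRule -Mailbox <user> -Identity <rule name> for a rule, or Set-Mailbox <user> -ForwardingSmtpAddress $null -ForwardingAddress $null for mailbox-level forwarding, and a tenant-wide guard against the exact scenario in the question is Set-RemoteDomain Default -AutoForwardEnabled $false, which stops automatic forwards to any external domain regardless of how the rule was created. The audit-log step is what answers the "how did they get in" question the comments say cannot be answered from the outside: the ClientIP and UserId on the New-InboxRule event tell you whether the rule was created from the user's own session or from somewhere unfamiliar.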